From: Li Bin <huawei.libin@huawei.com> hulk inclusion category: bugfix bugzilla: 34234 CVE: NA -------------------------------- If the dxfer_len is greater than 256M then the request is invalid, it should call sg_remove_request in sg_common_write. Fixes: f930c7043663 ("scsi: sg: only check for dxfer_len greater than 256M") Signed-off-by: Li Bin <huawei.libin@huawei.com> Acked-by: Douglas Gilbert <dgilbert@interlog.com> Reviewed-by: Hou Tao <houtao1@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- drivers/scsi/sg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index c75324a..9c4b71e 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -808,8 +808,10 @@ static int sg_allow_access(struct file *filp, unsigned char *cmd) "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n", (int) cmnd[0], (int) hp->cmd_len)); - if (hp->dxfer_len >= SZ_256M) + if (hp->dxfer_len >= SZ_256M) { + sg_remove_request(sfp, srp); return -EINVAL; + } k = sg_start_req(srp, cmnd); if (k) { -- 1.8.3